User: Password:
Subscribe / Log in / New account


Software liability laws: a dangerous solution

September 5, 2007

This article was contributed by Chase Venters

The readers of LWN do not need to be reminded that the software industry as a whole has a big problem with computer security. One proposal aims to redress this state of affairs: the concept of legislation designed to create financial liability for the vendors of buggy software. This idea is applauded by many such as Bruce Schneier, author of the famous book Applied Cryptography. But despite the support of notable authors, software liability laws are themselves a dangerous liability to the software industry.

One can readily find sympathy in the potential impact of software liability laws on developers of free and open-source software. Many of these developers are working on a volunteer basis, and holding them financially liable for the code they write and release freely could have a chilling effect on the development of free software. Of course, liability laws might be written to exclude programs given away for free, or they might concern themselves with vendors and leave individual developers out of the picture.

Unfortunately, the dangers of software liability laws don't subside when individual developers are granted immunity. One of our community's most prominent projects, the Linux kernel, was never intended to grow off the 386 but is now found running everything from stock markets to supercomputers and military gear. This ubiquity brings demand for services, support, and a single throat to choke, which is the bread and butter of Red Hat and other businesses. When a vendor is selling free software, and we make the vendor financially liable for bugs in the code it is selling but did not write, we risk significant disruption to our cherished development models.

Further complications arise when we imagine possible liability lawsuits. In the event of a security breach, directing blame and assigning liability can be problematic. Picture a system that runs Oracle on top of Red Hat Enterprise Linux, and imagine that the Oracle database is breached due to a bug in glibc. Does the buck stop with Oracle, Red Hat, or both? What if Novell provided the operating system, but the glibc developer who introduced the bug responsible for the breach is paid by Red Hat? An attorney might decide to sue all three parties, especially if it is unclear which component was vulnerable.

Consider also that virtually all software developers attach disclaimers of warranty to their products. These disclaimers are nearly ubiquitous in free software licenses, and are even found attached to some public domain declarations. For software liability laws to have teeth, these disclaimers must be nullified. But when dealing with software designed to address a broad range of users, one must carefully select use cases in which default warranties apply. There is a big difference between a database full of blog postings, a database full of credit card numbers and a database full of top secret government intelligence.

We must also recognize the differences in the types of failures under which warranty is considered appropriate. Ford Police Interceptors had a reputation for exploding when they were rear-ended. Ford also suffered a blow to its reputation, along with tire manufacturer Firestone, when tires on Ford Explorer vehicles were found to spontaneously fail. In both of these cases, the loss of human life was not the result of a willful human actor but was caused instead by spontaneous failure under expected operating conditions. By sharp contrast, software security breaches generally don't endanger life or limb, and successful exploits are not accidents but are rather the result of willful attack.

The difference between accidental and intentional failure is an important one. Because the laws of physics and the nature of accidents do not change, we can expect auto manufacturers to build reliable gas tanks and tires. But in computer security, attackers discover new techniques each and every year. The equation for software is always on the move.

At this point, advocates of software liability laws still hoping to sell their wares need to choose their words carefully, and so they plead for a standard based on best practice. But who defines best practice in an industry that is changing so fast? The pioneers of the Internet didn't predict many of the problems we're facing today, yet few would call them negligent. Real "best practice" is a moving target that is carried by the tides of the times, and in the world of technology, the waves are a mile tall and move thousands of miles per hour.

These and other questions must be addressed if software liability laws are to succeed. Unfortunately, legislators are notoriously bad at understanding and regulating technology. Observers of SCO v. IBM surely agree that court cases are long, complicated and costly. Those with faith in any branch of government to appropriately legislate technology should reexamine the Digital Millennium Copyright Act, a law that continues to have a chilling effect on free software development, and Universal v. Reimerdes, the case in which 2600 Magazine's publication of DeCSS was suppressed.

Security is, of course, a problem, and the case can be made that someone must be held liable. We prosecute the criminals who breach computer security, but if we're going to put burden on anyone else, we should choose the companies that leak personal information to these criminals when their security fails. In some ways, these companies might be held liable today, but we would do well to consider tightening down the screws. By increasing the burden on these data aggregators, the demand for secure software will increase. This gives the best solutions that engineers produce a market advantage, and financially rewards security-conscious vendors. This approach to liability also addresses the need for best practices and defense in depth when implementing and maintaining networks and databases. By concentrating liability in this way, we eliminate the complications that result from playing the blame game with a group of software vendors. Whose security was breached is a much easier question to litigate than how it was done and how it might have been stopped.

As Schneier has pointed out, companies tend to convert variable cost liabilities into fixed cost insurance plans. Insurers have a financial incentive to excel at evaluating risk, and it isn't inconceivable that they might view the use of open code their experts can review a reason to offer lower premiums. Furthermore, putting liability on data aggregators allows those organizations to make choices on how much insurance they are willing to buy. A technologically sound small business might adopt best practices and spend less on insurance, or they might decide to skip out on insurance entirely. But if insurance were expensive and the danger of a security breach was still unacceptable, they might reconsider the practice of permanently storing large amounts of customer data, something that their customers tend to consider an invasion of their privacy anyway.

Software code is quite complex, but we can write all kinds of new and useful software because it is intangible and cheap to produce. Placing liability on software vendors threatens to dramatically change this landscape. We can expect to see reduced participation, hampered innovation, and skyrocketing costs. We should carefully consider whether perfect security is a goal or an expectation, and educate users on the need for compartmentalization, defense in depth, patching, and best practices in their networks. If we approach the issue in this way, we can improve security overall with minimal risk to the efficiency of the software industry.

Comments (32 posted)

New vulnerabilities

aide: checksum errors

Package(s):aide CVE #(s):CVE-2007-3849
Created:September 4, 2007 Updated:September 5, 2007
Description: Advanced Intrusion Detection Environment (AIDE) is a file integrity checker and intrusion detection program. A flaw was discovered in the way file checksums were stored in the AIDE database. A packaging flaw in the Red Hat AIDE rpm resulted in the file database not containing any file checksum information. This could prevent AIDE from detecting certain file modifications.
Red Hat RHSA-2007:0539-01 aide 2007-09-04

Comments (none posted)

clamav: multiple vulnerabilities

Package(s):clamav CVE #(s):CVE-2007-4510 CVE-2007-4560
Created:September 3, 2007 Updated:February 13, 2008
Description: Several remote vulnerabilities have been discovered in the Clam anti-virus toolkit. The Common Vulnerabilities and Exposures project identifies the following problems:

CVE-2007-4510: It was discovered that the RTF and RFC2397 parsers can be tricked into dereferencing a NULL pointer, resulting in denial of service.

CVE-2007-4560: It was discovered clamav-milter performs insufficient input sanitizing, resulting in the execution of arbitrary shell commands.

Fedora FEDORA-2008-1608 clamav 2008-02-13
Fedora FEDORA-2008-0170 clamav 2008-01-22
Gentoo 200709-14 clamav 2007-09-20
Fedora FEDORA-2007-2050 clamav 2007-09-07
Mandriva MDKSA-2007:172 clamav 2007-08-31
Debian DSA-1366-1 clamav 2007-09-01

Comments (none posted)

fetchmail: denial of service

Package(s):fetchmail CVE #(s):CVE-2007-4565
Created:September 5, 2007 Updated:October 30, 2009
Description: fetchmail before 6.3.9 allows context-dependent attackers to cause a denial of service (NULL dereference and application crash) by refusing certain warning messages that are sent over SMTP.
CentOS CESA-2009:1427 fetchmail 2009-09-08
Red Hat RHSA-2009:1427-01 fetchmail 2009-09-08
CentOS CESA-2009:1427 fetchmail 2009-10-30
Ubuntu USN-520-1 fetchmail 2007-09-26
Debian DSA-1377-2 fetchmail 2007-09-21
Debian DSA-1377 fetchmail 2007-09-21
Mandriva MDKSA-2007:179 fetchmail 2007-09-11
Foresight FLEA-2007-0053-1 fetchmail 2007-09-06
rPath rPSA-2007-0178-1 fetchmail 2007-09-05
Fedora FEDORA-2007-1983 fetchmail 2007-09-04
Fedora FEDORA-2007-689 fetchmail 2007-09-04

Comments (none posted)

gallery2: multiple unspecified vulnerabilities

Package(s):gallery2 CVE #(s):CVE-2007-4650
Created:September 5, 2007 Updated:November 9, 2007
Description: Multiple unspecified vulnerabilities in Gallery before 2.2.3 allow attackers to (1) rename items, (2) read and modify item properties, or (3) lock and replace items via unknown vectors in (a) the WebDAV module; and (4) edit unspecified data files using "linked items" in (a) WebDAV and (b) Reupload modules.
Debian DSA-1404-1 gallery2 2007-11-08
Gentoo 200711-03 gallery 2007-11-01
Fedora FEDORA-2007-2020 gallery2 2007-09-04

Comments (none posted)

kernel: denial of service

Package(s):kernel CVE #(s):CVE-2006-0558 CVE-2007-1217
Created:September 4, 2007 Updated:November 14, 2007
Description: A flaw in the ISDN CAPI subsystem could allow a remote user to cause a denial of service or potential remote access. Exploitation would require the attacker to be able to send arbitrary frames over the ISDN network to the victim's machine.

A flaw in the perfmon subsystem on ia64 platforms could allow a local user to cause a denial of service.

Red Hat RHSA-2007:0671-01 kernel 2007-08-16
Red Hat RHSA-2007:0673-01 kernel 2007-08-08
Red Hat RHSA-2007:0672-01 kernel 2007-08-08
Red Hat RHSA-2007:0705-01 kernel 2007-09-13
Red Hat RHSA-2007:0774-01 kernel 2007-09-04

Comments (none posted)

krb5: buffer overflow, uninitialized pointer

Package(s):krb5 CVE #(s):CVE-2007-3999 CVE-2007-4000
Created:September 4, 2007 Updated:March 24, 2008
Description: Tenable Network Security discovered a stack buffer overflow flaw in the RPC library used by kadmind. A remote unauthenticated attacker who can access kadmind could trigger this flaw and cause kadmind to crash.

Garrett Wollman discovered an uninitialized pointer flaw in kadmind. A remote unauthenticated attacker who can access kadmind could trigger this flaw and cause kadmind to crash.

Fedora FEDORA-2008-1017 libtirpc 2008-03-06
SuSE SUSE-SR:2007:024 cacti, openldap2, phpPgAdmin, ruby, perl, rubygem-activesupport, yast2-core, librpcsecgss, liblcms 2007-11-22
Debian DSA-1387 librpcsecgss 2007-10-15
Gentoo 200710-01 librpcsecgss 2007-10-04
Red Hat RHSA-2007:0951-01 nfs-utils-lib 2007-10-02
Red Hat RHSA-2007:0913-01 nfs-utils-lib 2007-09-19
Trustix TSLSA-2007-0026 apache, clamav, kerberos5, php, rsync, tar, vim 2007-09-17
Mandriva MDKSA-2007:181 librpcsecgss 2007-09-12
Gentoo 200709-01 mit-krb5 2007-09-11
Ubuntu USN-511-2 krb5, librpcsecgss 2007-09-07
Mandriva MDKSA-2007:174-1 krb5 2007-09-07
Fedora FEDORA-2007-694 krb5 2007-09-07
Fedora FEDORA-2007-2066 krb5 2007-09-07
Debian DSA-1367-2 krb5 2007-09-06
Foresight FLEA-2007-0050-1 krb5 2007-09-06
Mandriva MDKSA-2007:174 krb5 2007-09-06
Red Hat RHSA-2007:0892-01 krb5 2007-09-07
rPath rPSA-2007-0179-1 krb5 2007-09-06
Ubuntu USN-511-1 krb5, librpcsecgss 2007-09-04
Fedora FEDORA-2007-2017 krb5 2007-09-04
Fedora FEDORA-2007-690 krb5 2007-09-04
Debian DSA-1368-1 librpcsecgss 2007-09-04
Debian DSA-1367-1 krb5 2007-09-04
Red Hat RHSA-2007:0858-01 krb5 2007-09-04

Comments (none posted)

mapserver: multiple cross-site scripting vulnerabilities

Package(s):mapserver CVE #(s):CVE-2007-4542 CVE-2007-4629
Created:September 5, 2007 Updated:April 7, 2008

CVE-2007-4542: Multiple cross-site scripting (XSS) vulnerabilities in MapServer before 4.10.3 allow remote attackers to inject arbitrary web script or HTML via unspecified vectors involving the (1) processLine function in maptemplate.c and the (2) writeError function in mapserv.c in the mapserv CGI program.

CVE-2007-4629: Buffer overflow in the processLine function in maptemplate.c in MapServer before 4.10.3 allows attackers to cause a denial of service and possibly execute arbitrary code via a mapfile with a long layer name, group name, or metadata entry name.

Debian DSA-1539-1 mapserver 2008-04-04
Fedora FEDORA-2007-2018 mapserver 2007-09-04

Comments (none posted)

postfix-policyd: arbitrary code execution

Package(s):postfix-policyd CVE #(s):CVE-2007-3791
Created:August 30, 2007 Updated:September 5, 2007
Description: The postfix-policyd anti-spam plugin for the postfix mta does not correctly test the bounds of incoming SMTP commands. This can be exploited for the remote execution of arbitrary code.
Debian DSA-1361 postfix-policyd 2007-08-29

Comments (none posted)

tcp-wrappers: unauthorized access

Package(s):tcp-wrappers CVE #(s):CVE-2007-5137
Created:August 30, 2007 Updated:October 13, 2007
Description: The TCP wrapper library can improperly allow connections to services that do not have server-side connection details specified. Remote attackers can connect to blocked services.
Ubuntu USN-507-1 tcp-wrappers 2007-08-30

Comments (none posted)

vavoom: multiple vulnerabilities

Package(s):vavoom CVE #(s):CVE-2007-4533 CVE-2007-4534 CVE-2007-4535
Created:September 5, 2007 Updated:September 5, 2007
Description: Security update fixing various format strings vulnerabilities and a DOS vulnerability in the vavoom server, this fixes: CVE-2007-4533, CVE-2007-4534 & CVE-2007-4535. Also see bugzilla bug 256621.
Fedora FEDORA-2007-1977 vavoom 2007-09-04

Comments (none posted)

Page editor: Jake Edge
Next page: Kernel development>>

Copyright © 2007, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds